In the modern electronic world, the accepted means of achieving identification are largely based on pre-determined factors, such as “something you know” (such as password, PIN number, etc.), “something you have” (such as token, access card, etc.) or “something you are” (such as fingerprint, iris scan and etc.). The validation process validating the factors is commonly known as authentication. For example, if Alice and Bob were to go on a date, they can identify each other by: i) knowing the time and place to meet (1st factor authentication); ii) identifying the license plates of the cars they are driving (2nd factor authentication); and iii) recognizing each others' faces and voices upon greeting (3rd factor authentication). Naturally such authentication process would not be carried out done deliberately and rigorously, but subconsciously, every time they meet. Nevertheless, if Bob forgot the time to meet but still drove the same car, Alice would not be as suspicious as if Bob were driving a different car, or worse still if Bob looked different.
The combination of different authentication factors makes for a stronger possibility that the person being identified is accurately authenticated. For example, if a system requires only the user to present a secret password (one factor authentication) to be identified, while another system requires the user to present both a secret password and dynamic password generated from a unique token (Two-factor authentication or 2FA), the latter system shall be taken as a more secure system in authenticating users. There had been many successful attacks, such as phishing and pharming against systems implementing only one-factor authentication to ascertain the identity of the users, and such attacks are set to grown.
Even so, systems that running on the one-factor authentication are far outstrips systems that implement 2FA. 2FA are most commonly adapted by financial institution or the like. There are a myriad of reasons that one-factor authentication is more preferred over the 2FA. The reasons include cost feasibility, system feasibility, protocol compatibility and user controllability.
Many 2FA solutions, such as RSA, VASCO, DS3 and etc, are already exist commercially. It can be integrated at their backend systems to achieve 2-factor authentication for their users. Integrating 2FA solutions requires major upgrades or the existing systems. Accordingly, the cost of deploying and maintaining 2FA across the existing systems may outweigh the benefits derived. It becomes a main factor that dissuading organizations from such implementations.
While organizations strive to keep their application systems open and up-to-date, there would inevitably be some legacy applications or proprietary systems which are beyond the control of the organization to modify or re-configure. Even if the organization has an enterprise-wide 2FA solution in place, such systems will not be able to make use of the added security.
There are a number of password protocols that are incompatible with the use of 2FA. Kerberos, for example, that are widely used by many systems including Microsoft Windows Active Directory, the enterprise backbone of majority of the systems in the world is not compatible with 2FA. During the user login phase, the Kerberos Network Authentication protocol requires to manipulate the static password as part of key-exchange with the Kerberos server. The protocol does not work well with 2FA solutions when the user has to provide a static password and a dynamic password for transmitting to the backend authentication server.
There are a number of workarounds available which involve modifying the Windows GINA login process to separately handle the dynamic password, but these workarounds are cumbersome to deploy and even more difficult to maintain.
So far, the implementations of 2FA are left to the prerogative of the system owner. If the system owner chooses not to implement 2FA to protect the user accounts, there is no much the user can do besides choosing more complicated passwords and using only trusted machines to login.
This is very apparent on the Internet where majority of Internet and Web 2.0 services such as Gail, MSN, Yahoo, Facebook, MapleStory, etc. do not offer 2FA despite high demand from users. Users who want 2FA to protect their accounts are simply at the mercy of the system owners.